44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other other homes of industrial automation equipment. In other words, scada and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering.
Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start.
You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such binwalk, strings, grep, xxd, python, scapy, and compression utilities.
All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future.
You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
1. Switches Get Stitches
Eireann Leverett
@blackswanburst
& Colin Cassidy
@partimesecguy
& Matt Erasmus
@undeadsecurity
Sep 11 02014
2. Outline of Workshop
General Introduction
The Switches
Required tools and les
Siemens Scalance Family Vulnerabilities
GE Multilink Family Vulnerabilities
Conclusion
3. Introduction
This is workshop on attacking industrial ethernet switches. We will be focussing
primarily on management plane attacks, with a goal to taking over management for the
device. We will not be playing around with routing attacks although we will discuss
them. This workshop is for you if:
I You work at a utility, and you deploy, provision, decommision, or test switches.
I You are comfortable at a linux commandline, and can hack web apps, but want to
get into embedded.
I You are a developer of embedded rmware and want to learn more about systems
security.
I You are an ohdae enthusiast who likes to watch the chaos.
I You can help us get My Little Pony running on a Leapfrog. We love your work!
4. ICS 101
What's the point?
In Industrial Control Systems we're focussed on protecting the control path not the
data. The process is what needs to be protected, not accounts, not data condentiality.
So the primary concern you have is integrity of process data. All other vulnerabilities,
must eventually lead to this, or are not relevant SCADA/ICS.
5. How does access to the switches work?
We only have 2 switches and they have a limited number of ports. We have also had
bad experiences in the past with large numbers of people pounding on them, they get
bricked. So instead of making them available to everyone in this room at the same time
today, we're leaving them up front on the table for you to visit. Please visit in pairs, to
perform the kind of attacks you're interested in. Working in pairs often allows the
second person to verify the attack succeeds, and cuts down on the load.
We have provided you with pcaps and scripts that mean much of your analysis can be
done on your own machine. So try to keep to 5-10 minutes on the device, or ask us to
demonstrate the attacks on the big screen.
You should only need to visit the switches to verify the things you have learned.
6. Underpants Gnomes == SCADA or ICS presentations
My esteemed colleague Jason Larsen has a simple challenge for the mind: You have
complete control over the process in a paint factory, now what do you do to attack the
process?
Or to put it dierently, most SCADA or ICS presentations go:
1. Steal underpants! (Pwn PLC/RTU/HMI)
2. ????
3. Prot!
Discuss.
7. Protocols 1: You have no integrity
There's precious little authentication in many SCADA protocols. There's even less
cryptographic integrity. This is often because of real time and safety constraints.
However, this also makes it our biggest path to abuse.
It is because these protocols use so little crypto, that attacking the switches is such an
eective means to compromise. Once compromised, you can recongure them to
exltrate data, or create malicious rmwares to MITM the process.
Why would we want to create malicious rmwares instead of route the data out and
back again? Discuss.
8. Protocols 2
I GOOSE
I modbus
I TASE.2
I 101/104
I DNP3
I mrph
I ICCP
I iec-104
I pronet/probus
I canbus
I C12.22
9. Introducing...
The Switches we will busticate
I Siemens Scalance X200 Version 4.3
I GE Multilin ML800 Version 4.2
However, these vulns work on other members of this switch family. More importantly
the techniques we use will be relevant for any work you do. We will gently take you
from web app style vulnerabilities, into light rmware reversing and binary analysis. So
if you're here to learn and practice, great. If you're a dapper reverse engineer, this
might bore you a little, but you can stay to watch me drop ohdae...
10. Tools
1. Linux commandline (XXD, tcptrace, strings, etc)
2. SNMP walk or other snmp interrogation tool
3. Wireshark/tshark
4. XXD or IDAPro or your hex-editor of choice (view only)
5. Python
11. Files
1. Siemens Python le (github)
2. Siemens Brute Forcer + pcap le
3. Siemens Session IDs File
4. zlibnder python
5. GE Pcap
6. GE DOS Python
12. IP Addresses and Credentials
1. GE ML800 is at 192.168.0.12 (HTTPS, Telnet, SNMP, Modbus)
2. Siemens Scalance X200 is at 192.168.0.13 (HTTP,Telnet, SSH, SNMP)
3. GE ML800 Credentials: manager/manager operator/operator
4. Siemens X200 Credentials: admin/admin user/user
13. Siemens X200 Authentication 1
Firstly open up the pcap le, and see the ow back and forth. Now, to see if we can
recover the passwords!
We need to know 3 things:
1. Hash Function Used
2. Salt or Nonce? Yes, no, format of either?
3. Precise string format before hashing
Q: So how can we learn this information?
14. Siemens X200 Authentication 2
From the webpage (if it is clientside)!
Run tcptrace on the pcap, and nd the login page. Search the page and nd the
hashing function.
Q: What is the format of the string before hashing?
First to answer gets a sticker...
15. Siemens X200 Authentication 2
A: user:admin:nonce
Useful command
echo -n admin:password:C0A800020002F72C | md5sum
The nonce is given to us in the previous HTTP response or previous HTTP request.
The nonce is interesting and useful cryptographically in that it prevents crypto replay
attacks. However, it also xes a string in our brute force (sux), as does the user
name (prex). This means we can brute force these hashes very easily.
If you want to take a few minutes to write an MD5 cracker for this switch, we'll give an
example on the next slide.
16.
17. Siemens Nonces/Session Analysis
Open up BURP and prepare to analyse the nonce/session IDs.
If you can't use Burp, then you just use WGET to fetch any webpage a few times in
rapid succession. Alternatively, examine the Sessions.txt le provided.
Q: See any patterns?
Discuss.
18. Siemens Nonces/Session Analysis Answer
Switch.....please!
I C0A8006500000960
I C0A8006500001A21
I C0A80065000049A6
I C0A8006500005F31
I C0A800610007323F
Q: See any patterns? Discuss.
19. Siemens Nonces/Session Analysis Answer
Switch.....please!
I C0A8006500000960
I C0A8006500001A21
I C0A80065000049A6
I C0A8006500005F31
I C0A800610007323F
Q: See any patterns? Discuss.
20. Siemens Nonces/Session Analysis Answer
Switch.....please!
I C0A80065 ) 192.168.0.97 (this is the CLIENTSIDE address)
I 0007323F ) 471615 in base 10 (Uptime + 1 of course)!
I snmpwalk -Os -c public -v 1 192.168.0.5
I iso.3.6.1.2.1.1.1.0 = STRING: Siemens, SIMATIC NET, SCALANCE X204-2,
I 6GK5 204-2BB10-2AA3, HW: 4, FW: V4.03
I iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.4196.1.1.5.2.22
I iso.3.6.1.2.1.1.3.0 = Timeticks: (471614) 1:18:36.14
21. Siemens Scalance Authentication Bypass
A simple unauthenticated HTTP request will allow you to:
Download
I Log File
I Conguration (including password hashes)
I Firmware
Upload
I Conguration (including password hashes)
I Firmware
22. Auth Bypass Demo
Be VERY thoughtful before using this tool to bypass authentication and change
conguration.
Changing IP address or DHCP can screw you up.
DON'T FRAG the switch for the next student!
Changing authentication can be a pain.
You need a previously KNOWN cong!
I have provided one for your verication needs...
admin/admin
users/user
23. Siemens Switch Conclusion
These vulns are patched, but maybe you can nd new ones. Also, even though a patch
exists, patch times in ICS/SCADA are regularly 12-18 months after the patch is
released. You should be able to use these tools for quite a while!
In fact as of today...there still a few on Shodan.io using the old rmware...
24. This vulnerability reported to GE on May 17 02014 : 148 days ago
nearly 5 months ago!
They do not have a x yet, I'll let you be the judges.
25. GE ML800 Key
We have captured network trac from the wire interacting with the GE ML800 web
admin interface. Within this session we have performed a switch rmware upgrade.
This session is in HTTPS, but the rmware upgrade happens over FTP, so we are able
to see the rmware le in clear text.
We use tcptrace to carve out the les (All hail Ostermann!):
tcptrace -n -e rmware-upgrade.pcapng
26. GE ML800 Key
We note that right away, one stream stands out:
tcptrace stream
33: 192.168.0.97:20 - 192.168.0.12:1025 (bm2bn) 1356 971 (complete)
Primarily because it is a larger stream, but also those ports are interesting, and nally
we can see it is a complete stream.
27. GE ML800 Key
The le command doesn't help us much:
le results
I le bm2bn_contents.dat
I bm2bn_contents.dat: data
28. GE ML800 Key
We run strings on this structure, and we nd a lot of random rubbish, but a few pages
down we get some clues.
Strings output
I deate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
I inate 1.1.3 Copyright 1995-1998 Mark Adler
So it's compressed!
29. GE ML800 Key
Attempting to deate the whole thing fails abyssmally. So we resort to searching for
zlib streams in the le with a little help from python. Basically, we iterate over every
byte to see if we can nd sections of the le that do not produce zlib errors. When we
nd some sections of the le that are legitimate zlib streams.
Output of ZLIB-Finder.py
I Please enter the lename you wish to analyse: bm2bn_contents.dat
I (41576, 4098384)
I (1931471, 0)
30. GE ML800 Key
Well, let's carve out that compressed section shall we?
Output of dd
I dd if=bm2bn_contents.dat of=compressed.bin skip=41576 bs=1 count=4098384
I 1889896+0 records in
I 1889896+0 records out
I 1889896 bytes (1.9 MB) copied, 2.62979 s, 719 kB/s
31. GE ML800 Key
Now we need to concatenate the magic string to make gzip think it's a valid le and
decompress it:
magic byte foo
printf x1fx8bx08x00x00x00x00x00 | cat - compressed.bin
| gzip -dc decomp.bin
Which does give us some errors which suggest we might have the length of our dd
command wrong. However, we still get some sensible material out of the
decompression. To see that, load it up in IDA, or just use strings or xxd.
32. GE ML800 Key
For example, I love just running this on all kinds of embedded rmwares:
Command
xxd decomp.bin | grep -A 20 '42 4547 494e 2052 5341 2050 5249 5641' | less
Which gives you nice little details such as:
RESULT!
0036750: 2d42 4547 494e 2052 5341 2050 5249 5641 -BEGIN RSA PRIVA
Copy and paste this key into a le.
33. GE ML800 Key
Now if we load it into wireshark using port 443 IP 192.168.0.12 and protocol http, we
can even use it to see the session which preceded the rmware upload. This means we
can conrm the key decrypts SSL trac and we can even see the user name and
password for the device in packet 639.
34. But wait! There's more!
The OEM for this switch is Garretcom (now owned by Belden). So does this default
key aect them? Let's wait and see...
35. I waited nearly 5 months for GE/Garretcom to conrm a patch for this default key.
Personaly, I think it would have been more responsible for them to anounce the key
compromise immediately and work towards the patch after informing their customers.
My recommendations at this time are to update the SSL key over a serial or other point
to point connection where you can visually conrm no MITM. After that, change the
passwords on the device, since they are not hashed, and thus can be returned to
cleartext from the SSL/TLS ciphertext.
36. Where can we go with these attacks, and what about the underpants gnome?
Towards control of the process
I Start examining if binary patching of the rmware can be achieved?
I Is there rmware codesigning?
I Can it be bypassed?
I Altering the switch conguration to exltrate process data.
I DoS attacks, to disrupt the process.
I Basically any MITM attack at this point can disrupt, alter, or drop process trac.1
1With the exception of real time system constraints
37. Conclusion
Today we learned
I Session ID Analysis
I Brute forcing MD5+NONCE
I Binary Analysis
I Decompressions
I Key Extraction
I SSL decryption
I How to drop ohdae
38. Outro
Thanks to some peeps for random things...
I Reid Nice guy Wightman
I Yvan I know. Jannsens
I Jason Water Hammer Larsen
eireann.leverett@ioactive.com
GPG: 9E1D 1459 CB1C DC9F 5638 786C 6EAB 21C0 38D1 57B8
Matt@zonbi.org
GPG: 3153 47EE C078 C484 C2BC 814D E5B3 52A8 4493 4B37
colin.cassidy@ioactive.com
GPG: 5B1C A26A 8B8E DF82 C338 B1B1 8BD3 0446 451C 872B